Security Awareness: Taking Advantage of Opportunity

Security Awareness is an incredibly important aspect of any security program. As we’ve seen in countless high-profile breaches, users are consistently the path of least resistance into any organization, which is why training employees to identify ‘suspiciousness’ and react in a safe and effective manner is just as important as maintaining perimeter security and aggregating log data. Since LogRhythm is a security-focused company, we take a more aggressive approach than most when it comes to Security Awareness training by testing our defenses regularly, in realistic ways.

Open Wireless networks are the perfect medium for malicious activity, and criminals have leveraged this attack vector in many high-profile intrusions for years. One of the more recent and public Wi-Fi attacks came to be known as “Dark Hotel.” In this scenario, the attackers preemptively compromised a hotel network which they knew their target would be visiting. They leveraged the Wireless network to deploy their malware to hotel guests for around seven years. This is just one of the more notable breaches involving a public Wireless network, though this case is a bit different than a true rogue AP attack. For this reason, training your employees on the security precautions they can take when using such networks is incredibly important.

Recently, LogRhythm hosted one of our many regular sales events. This is a time when a majority of the organization gathers in Colorado to meet and discuss the future of the company. We decided to use this event as a learning opportunity. Since employees from all around the world gather in one central location for the event, we launched a rogue access point attack with the goal of simulating an adversary targeting LogRhythm employees. This is a fairly straightforward attack in that we hid multiple Wi-Fi Pineapples throughout the hotel and captured employee domain credentials using a custom captive portal (note – we only captured usernames for obvious reasons). Luckily we have some very sharp folks working here, and many reported the Pineapples immediately; one guy even found one of the Pineapples. Had this been a real attack, it would have been shut down hard and fast due to the diligence of our employees.

Exercises like this are usually not common within non-security-focused organizations; however, it is important for security awareness training programs to take multiple attack vectors into account when evaluating their overall security posture. By now, most people are well aware of generic phishing attacks; however, training exercises such as deploying rogue access points are not often conducted internally. This is why I’d like to walk through how to conduct such an exercise and train your employees to report things that just “don’t feel right.”

If you frequent the LogRhythm blog, you may have read through the xfinity pineapple post that I put together last year. Since then, I’ve received many questions around exactly how to build such an attack using the Wi-Fi Pineapple, primarily because I didn’t really dive into the code and this can be a bit more complex than some of the other deployment options, such as PwnSTAR. To help out with this, Labs put together two blank captive portal templates that can be used with either vector in order to assist both penetration testers and various organizations with orchestrating similar training exercises.

Essentially, deploying this attack comes down to a couple key aspects and both Mark Vankempen and Michael Logoyda deserve some major props for figuring out the JavaScript specifics of the Pineapple captive portal. In fact, Mark decided to swing by the hotel to do a little recon and testing before everyone arrived. The hotel staff asked what he was up to, and he told them the truth, that he was there to set up some wireless access points for the LogRhythm meetings. The hotel staff then very graciously provided him with power strips, extension cords, and even credentials to the hotel’s access points. This was all done with no verification of Mark’s identity and relationship to LogRhythm, which gives you an idea of how easily this could be done by just about anyone. Maybe even using the real access points…

Getting back to the Pineapple configuration, I like to deploy captive portals using a basic redirect within the NodogSplash configuration — this allows you to stand up various captive portals quickly and easily. All you need to do is point to the new web directory where the actual portal pages will be stored. This also gives you the ability to use PHP scripts, which is not possible on the initial splash page.

Figure 2: Splash Page

With the basic splash redirect in place, this opens up the possibility of very elaborate captive portals. These can contain whatever you’d like — anything from a false login form to malicious content delivered via browser exploit. The latter is easy, as you can simply pass the client through; however, capturing form data is not as straightforward as it sounds — at least not on the Pineapple. In fact, there is a thread dedicated to deploying a specific captive portal attack on the Pineapple which still does not have a definitive answer, mainly because this attack would be dangerous in the hands of someone who doesn’t really understand the legalities of what they are doing, and giving away the easy solution would be irresponsible in my opinion… So, I’d like to cover the attack in general to help folks better understand how to defend against it.

As you saw in the splash page above, we are passing the authtarget variable through. On the actual landing page, we need to add two small JavaScript scripts. The first of which is a script that should be placed in the header of the landing page. Without getting into too much detail, this essentially captures the authtarget link and allows it to be used as a variable.

Figure 3: Landing Page JavaScript – Part 1

The next bit of JavaScript needs to be placed within the form. This allows us to pass the authtarget variable through so it can be used by our form processor and actually allow the user through to the Internet.

Figure 4: Landing Page JavaScript – Part 2

The final piece of this is the PHP form processor. This page basically appends each login attempt to a flat file by capturing the entire contents of the POST data and subsequently allows the user through to the authtarget link once the form has been successfully submitted.

Figure 5: PHP Form Processor

Make sure to set permissions properly so your Pineapple doesn’t get owned, and that’s it! Now, just give the access point an interesting SSID, launch the captive portal, then sit back and watch the credentials flow…

Beware duplicate networks or the system connecting to your ‘home network’ when you’re really nowhere near your home.

Use caution when your Wireless connection suddenly drops and re-establishes itself, especially if this happens to everyone around you.

If it just ‘doesn’t feel right’ then trust your instincts…
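As an added example that is not part of the original post, the following Python check turns the first two tips above into something a client-side script or endpoint agent could run over a Wi-Fi scan: it flags the same SSID offered both open and encrypted (the duplicate-network case) and a saved “home” profile appearing where it cannot legitimately be. The scan text is constructed for the example and shaped like terse `nmcli` output; the saved-profile table is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample scan, shaped like `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi`
# output (fields separated by ':', colons inside the BSSID escaped with a backslash).
# All values are made up for this example; an empty SECURITY field means an open network.
SAMPLE_SCAN = """\
HotelGuest:AA\\:BB\\:CC\\:00\\:00\\:01:WPA2:70
HotelGuest:DE\\:AD\\:BE\\:EF\\:00\\:01::82
Corp-Event:DE\\:AD\\:BE\\:EF\\:00\\:02::75
MyHomeWifi:DE\\:AD\\:BE\\:EF\\:00\\:03::60
Cafe:AA\\:BB\\:CC\\:00\\:00\\:09:WPA2:40
"""

# Hypothetical saved profiles on the laptop: SSID -> the security the client expects.
SAVED_PROFILES = {"MyHomeWifi": "WPA2"}


def parse_scan(text):
    """Split terse nmcli-style lines on unescaped colons into (ssid, bssid, security, signal)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        ssid, bssid, security, signal = fields[:4]
        rows.append((ssid, bssid, security or "OPEN", int(signal)))
    return rows


def find_rogue_indicators(rows, saved_profiles, away_from_home=True):
    """Return (ssid, reason) findings for the duplicate-network and home-network tips."""
    by_ssid = defaultdict(set)
    for ssid, bssid, security, _ in rows:
        by_ssid[ssid].add((bssid, security))
    findings = []
    for ssid, aps in sorted(by_ssid.items()):
        securities = {sec for _, sec in aps}
        # Same name offered both open and encrypted: a real multi-AP deployment is consistent,
        # so the open copy is the likely rogue. An unfamiliar open network alone (Corp-Event)
        # is not flagged; that is what the "doesn't feel right" instinct is for.
        if len(aps) > 1 and "OPEN" in securities and len(securities) > 1:
            findings.append((ssid, "duplicate SSID with mixed security"))
        if ssid in saved_profiles:
            if away_from_home:
                findings.append((ssid, "saved network seen away from its location"))
            if saved_profiles[ssid] not in securities:
                findings.append((ssid, "saved network with unexpected security"))
    return findings
```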

Attackers thrive on opportunity. Even something as simple as a target visiting an unfamiliar location can be a goldmine for an adversary — allowing them to manipulate the environment around their mark. Why don’t we as security practitioners do the same? It is important to think outside the box and leverage unique attack vectors to actively test employees. Not only are they your greatest asset, they can often be your weakest point. Training employees on how to recognize and respond to various attacks is crucial to the overall security posture of your organization.